Since its inception more than 20 years ago, the field of intrusion detection has been growing rapidly. Early intrusion detection systems (IDSs) catered only for a single host at most, a small network. As networks expanded and organizations grew, there was clearly a need for large-scale distributed intrusion detection. This led to the emergence of distributed IDSs such as NADIR, Distributed Intrusion Detection System (DIDS) (S. R. Snapp, J. Brentano, G. V. Dias, T. L. Goan, L. T. Heberlein, C. L. Ho, K. N. Levitt, B. Mukherjee, S. E. Smaha, T. Grance, D. M. Teal, and D. Mansur. “DIDS distributed intrusion detection system)-motivation, architecture, and an early prototype.” In Proc. of the 14th National Computer Security Conference, pages 167-176, October 1991.), GrIDS (S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K Levitt, C. Wee, R. Yip, and D. Zerkle. “GrIDS—a graph-based intrusion detection system for large networks.” In Proc. of the 19th National Information Security Conference, Baltimore, Md., October 1996.), and AAFID (J. S. Balasubramaniyan, J. O. G. Fernandez, D. Isacoff, E. Spafford, and D. Zamboni. “An architecture for intrusion detection using autonomous agents.” Technical Report 98/05, COAST Laboratory, Purdue University, May 1998). Commercial IDSs have also adopted the distributed data collection and processing paradigm.
Although these conventional IDSs handle distributed intrusion detection, they focus primarily on intrusion detection within only the one organization in which they are located. An IDS in one organization does not communicate with an IDS in a second organization. Without inter-organizational information sharing, the potential of the IDSs and intelligence-gathering ability of these organizations become severely limited. For example, the stand-alone configurations present in conventional systems makes it difficult to detect distributed and stealthy attacks that span across the Internet, such as distributed denial of service (DDoS) attacks.
The conventional infrastructure of the Internet is another factor limiting the ability of organizations to conduct better attack detection and prevention. Since the TCP/IP protocol suite was not designed with security in mind (S. M. Bellovin. “Security weaknesses in the TCP/IP protocol suite.” Computer Communications Review, 2(19): 32-48, 1989), it is infeasible to rely on it as the foundation for security.
The effectiveness of IDSs at detecting sophisticated attacks would increase significantly if there were inter-organizational communication and sharing of information among IDSs.